CN113596016B - Malicious domain name detection method and device, electronic equipment and storage medium - Google Patents

Publication number
CN113596016B
Authority
CN
China
Prior art keywords
domain name
code
malicious
detected
image
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110849203.8A
Other languages
Chinese (zh)
Other versions
CN113596016A (en)
Inventor
茅开
崔翔
王忠儒
冀甜甜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Dingniu Information Security Technology Jiangsu Co ltd
Beijing Digapis Technology Co ltd
Original Assignee
Dingniu Information Security Technology Jiangsu Co ltd
Beijing Digapis Technology Co ltd
Application filed by Dingniu Information Security Technology Jiangsu Co ltd, Beijing Digapis Technology Co ltd
Priority to CN202110849203.8A
Publication of CN113596016A
Application granted
Publication of CN113596016B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The disclosure relates to a malicious domain name detection method and device, an electronic device and a storage medium. The method comprises the following steps: converting the domain name to be detected into a domain name image; generating a domain name code of the domain name to be detected according to the domain name image; determining a comparison code among a plurality of preset reference codes according to the domain name code; and determining whether the domain name to be detected is a malicious domain name according to the domain name code and the comparison code. With the malicious domain name detection method of the embodiments of the disclosure, the domain name to be detected can be converted into an image, and the code of that image and the codes of non-malicious domain names are used to judge whether the domain name to be detected is easily confused visually with a non-malicious domain name, and hence whether it is a malicious domain name. This reduces the possibility that a user mistakenly clicks a malicious domain name because of visual similarity, and improves network security.

Description

Malicious domain name detection method and device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a malicious domain name detection method and apparatus, an electronic device, and a storage medium.
Background
A malicious domain name refers to a website carrying malicious links. Such a website typically plants malicious code such as trojans and virus programs by exploiting vulnerabilities in application software or the browser, and lures users into visiting with disguised website content. Once users enter these websites, their computers may become infected with malicious code, which raises security concerns. Websites with malicious domain name links fall into two categories: phishing websites and malware websites. Phishing websites masquerade as the websites of legitimate institutions such as banks or online stores and attempt to trick users into entering user names, passwords, or other private information, which poses a threat to personal privacy and property security. Malware websites contain malicious code that hackers can use to obtain and transmit users' private or sensitive information by installing malware on their computers. Currently, the total number of malicious domain names in the network is large, so detection of malicious domain names has become a key research field of network security.
In the related art, detection of a malicious domain name is usually performed through entropy operation, distance algorithm, text feature extraction, and the like, for example, multiple feature fields and corresponding feature mean values may be obtained through multiple analyses and feature extraction of a domain name to be detected, and a detection result may be obtained by using a classification prediction model, or a domain name may be detected by using a neural network model to obtain a detection result.
However, the above detection methods examine only the text content of the domain name itself. If a malicious domain name is visually similar to a real domain name, for example, mαil is visually similar to mail, it is difficult to prevent the user from clicking the malicious domain name by mistake.
Disclosure of Invention
The disclosure provides a malicious domain name detection method and device, electronic equipment and a storage medium.
According to an aspect of the present disclosure, there is provided a malicious domain name detection method, including: converting a domain name to be detected into a domain name image, wherein the content in the domain name image comprises the text content of the domain name to be detected; generating a domain name code of the domain name to be detected according to the domain name image; according to the domain name codes, determining comparison codes in a plurality of preset reference codes, wherein the reference codes are determined according to non-malicious domain names; and determining whether the domain name to be detected is a malicious domain name or not according to the domain name code and the comparison code.
In a possible implementation manner, the domain name code includes a first hash value of the domain name image, where generating the domain name code of the domain name to be detected according to the domain name image includes: preprocessing the domain name image to obtain an image to be encoded, wherein the preprocessing comprises at least one of scaling processing, gray level processing and binarization processing; and converting the image to be coded into binary coding to obtain a first hash value of the domain name image.
In one possible implementation, the method further includes: respectively converting the non-malicious domain names into reference images, wherein the content in each reference image is the text content of the corresponding non-malicious domain name; and generating a reference code of each non-malicious domain name according to each reference image.
In a possible implementation manner, the domain name code includes a first hash value of the domain name image, and the reference code includes a second hash value of the reference image, where determining a comparison code from a plurality of preset reference codes according to the domain name code includes: according to the first hash value, determining a third hash value with the minimum difference value with the first hash value in second hash values of a plurality of reference images; determining the third hash value as the comparison code.
In a possible implementation manner, determining whether the domain name to be detected is a malicious domain name according to the domain name code and the comparison code includes: determining a first number of data bits in the domain name code and the comparison code that are inconsistent; and determining that the domain name to be detected is a malicious domain name under the condition that the first number is smaller than or equal to a preset number threshold.
In one possible implementation, the method further includes: determining, among a plurality of first domain names and according to the text content of the non-malicious domain names, the domain name to be detected, that is, a first domain name whose text content differs from the text content of every non-malicious domain name.
In one possible implementation, the method further includes: and generating warning information under the condition that the domain name to be detected is a malicious domain name.
According to an aspect of the present disclosure, there is provided a malicious domain name detection apparatus, the apparatus including: the image conversion module is used for converting the domain name to be detected into a domain name image, wherein the content in the domain name image comprises the text content of the domain name to be detected; the encoding module is used for generating the domain name code of the domain name to be detected according to the domain name image; the comparison module is used for determining a comparison code in a plurality of preset reference codes according to the domain name code, wherein the reference code is determined according to a non-malicious domain name; and the judging module is used for determining whether the domain name to be detected is a malicious domain name or not according to the domain name code and the comparison code.
In one possible implementation, the domain name code includes a first hash value of the domain name image, and the encoding module is further configured to: preprocessing the domain name image to obtain an image to be encoded, wherein the preprocessing comprises at least one of scaling processing, gray level processing and binarization processing; and converting the image to be coded into binary coding to obtain a first hash value of the domain name image.
In one possible implementation, the apparatus further includes: a reference code determining module, configured to convert the non-malicious domain names into reference images, respectively, where content in each reference image is text content of a corresponding non-malicious domain name; and generating a reference code of each non-malicious domain name according to each reference image.
In one possible implementation, the domain name code includes a first hash value of the domain name image, the reference code includes a second hash value of the reference image, and the comparison module is further configured to: according to the first hash value, determining a third hash value with the minimum difference value with the first hash value in second hash values of a plurality of reference images; determining the third hash value as the comparison code.
In a possible implementation manner, the determining module is further configured to: determining a first number of data bits in the domain name code and the comparison code that are inconsistent; and determining that the domain name to be detected is a malicious domain name under the condition that the first number is smaller than or equal to a preset number threshold.
In one possible implementation, the apparatus further includes: a screening module, configured to determine, among a plurality of first domain names and according to the text content of the non-malicious domain names, the domain name to be detected, that is, a first domain name whose text content differs from the text content of every non-malicious domain name.
In one possible implementation, the apparatus further includes: and the warning module is used for generating warning information under the condition that the domain name to be detected is a malicious domain name.
According to an aspect of the present disclosure, there is provided an electronic device including: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to invoke the memory-stored instructions to perform the above-described method.
According to an aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the above-described method.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure. Other features and aspects of the present disclosure will become apparent from the following detailed description of exemplary embodiments, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain the principles of the disclosure.
Fig. 1 shows a flow diagram of a malicious domain name detection method according to an embodiment of the present disclosure;
Fig. 2 shows a schematic diagram of a domain name image according to an embodiment of the present disclosure;
Fig. 3A and 3B illustrate application diagrams of a malicious domain name detection method according to an embodiment of the present disclosure;
Fig. 4 shows a block diagram of a malicious domain name detection apparatus according to an embodiment of the present disclosure;
Fig. 5 shows a block diagram of an electronic device according to an embodiment of the disclosure;
Fig. 6 illustrates a block diagram of an electronic device in accordance with an embodiment of the disclosure.
Detailed Description
Various exemplary embodiments, features and aspects of the present disclosure will be described in detail below with reference to the accompanying drawings. In the drawings, like reference numbers can indicate functionally identical or similar elements. While the various aspects of the embodiments are presented in drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
The word "exemplary" is used exclusively herein to mean "serving as an example, embodiment, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
The term "and/or" herein merely describes an association between associated objects, meaning that three relationships may exist, e.g., A and/or B may mean: A exists alone, A and B exist simultaneously, and B exists alone. In addition, the term "at least one" herein means any one of a plurality or any combination of at least two of a plurality, for example, including at least one of A, B, C, and may mean including any one or more elements selected from the group consisting of A, B and C.
Furthermore, in the following detailed description, numerous specific details are set forth in order to provide a better understanding of the present disclosure. It will be understood by those skilled in the art that the present disclosure may be practiced without some of these specific details. In some instances, methods, means, elements and circuits that are well known to those skilled in the art have not been described in detail so as not to obscure the present disclosure.
Fig. 1 shows a flowchart of a malicious domain name detection method according to an embodiment of the present disclosure, and as shown in fig. 1, the malicious domain name detection method includes:
in step S11, converting a domain name to be detected into a domain name image, where the content in the domain name image includes text content of the domain name to be detected;
in step S12, generating a domain name code of the domain name to be detected according to the domain name image;
in step S13, determining a comparison code from a plurality of preset reference codes according to the domain name code, where the reference code is determined according to a non-malicious domain name;
in step S14, it is determined whether the domain name to be detected is a malicious domain name according to the domain name code and the comparison code.
With the malicious domain name detection method of the embodiments of the disclosure, the domain name to be detected can be converted into an image, and the code of that image and the codes of non-malicious domain names are used to judge whether the domain name to be detected is easily confused visually with a non-malicious domain name, and hence whether it is a malicious domain name. This reduces the possibility that a user mistakenly clicks a malicious domain name because of visual similarity, and improves network security.
In one possible implementation, the malicious domain name detection method may be performed by an electronic device such as a terminal device or a server, where the terminal device may be a User Equipment (UE), a mobile device, a User terminal, a cellular phone, a cordless phone, a Personal Digital Assistant (PDA), a handheld device, a computing device, a vehicle-mounted device, a wearable device, or the like, and the method may be implemented by a processor calling a computer readable instruction stored in a memory. Alternatively, the method may be performed by a server.
In one possible implementation, some malicious domain names mislead the user into clicking by exploiting visual similarity with legitimate domain names. For example, mαil is visually similar to mail, and the user may mistake a malicious domain name containing the mαil field for a legitimate (non-malicious) domain name containing the mail field and click it by mistake, creating a network security vulnerability.
In one possible implementation, to address the above problem, visual similarity may be used to determine whether the domain name to be detected deceives the user by imitating some legitimate domain name. If the text of a domain name differs only slightly from the text of a legitimate domain name, it can then be checked whether the visual difference between the two is also small. If the visual difference is also small, the domain name may be a malicious domain name, that is, one that imitates the legitimate domain name and misleads the user into clicking. For example, a domain name includes an mαil field, a legitimate domain name includes a mail field, and all other fields are identical. The only differing characters in the two domain names are "a" and "α", and these two letters have high visual similarity. The text difference between the domain name and the legitimate domain name is very small and the visual difference is also very small, so the domain name can be considered a malicious domain name, that is, one that imitates the legitimate domain name and misleads the user into clicking. If a domain name differs only slightly in text from a legitimate domain name but differs greatly in appearance, the domain name may not be a malicious domain name, that is, it does not mislead the user into clicking through visual similarity. For example, the legitimate domain name includes an abc field and the domain name includes an abz field. Although only one character differs, the visual difference between "c" and "z" is large, so the domain name is not a malicious domain name imitating the legitimate domain name, and it does not mislead the user into clicking through visual similarity.
In one possible implementation, the non-malicious, legitimate domain names may be determined first. In an example, malicious domain names are mostly constructed by transforming a domain name in Alexa Top 100w (i.e., the legitimate domain names ranked in the top 1,000,000 by network traffic) into an illegitimate domain name that resembles it, for example through a visually similar transformation. Multiple legitimate domain names in Alexa Top 100w may be used as non-malicious domain names for reference.
In one possible implementation, when detecting whether one or more domain names are malicious domain names, it may first be determined whether the domain names belong to the non-malicious domain names in Alexa Top 100w, and if not, further detection may be performed. If a domain name belongs to the domain names in Alexa Top 100w, it is a legitimate, non-malicious domain name. The method further includes: determining, among a plurality of first domain names and according to the text content of the non-malicious domain names, the domain name to be detected, that is, a first domain name whose text content differs from the text content of every non-malicious domain name. In an example, a web page contains a plurality of links, and each link has a corresponding first domain name. The first domain names of the links in the web page may be collected into a domain name list, and the text of each first domain name in the list is compared with the text of the domain names in Alexa Top 100w. If the text of one or more first domain names in the list is completely consistent with the text of a domain name in Alexa Top 100w, those first domain names are legitimate, non-malicious domain names belonging to Alexa Top 100w; they need no further detection and can be directly determined to be non-malicious. If the text of other first domain names in the list differs from the legitimate, non-malicious domain names of Alexa Top 100w, those first domain names need to be used as domain names to be detected and examined further to judge whether they are malicious domain names.
In a possible implementation manner, after the domain name to be detected is determined, the domain name to be detected may be further detected to determine whether the domain name to be detected is a malicious domain name, that is, whether the domain name to be detected is a malicious domain name that misleads a user to click by using the characteristic of high visual similarity with a non-malicious domain name. In step S11, the domain name to be detected may be converted into a domain name image, so as to determine the visual effect and the visual similarity with the non-malicious domain name of the domain name to be detected through the image.
In an example, the content in the domain name image includes text content of the domain name to be detected, e.g., the text content included in the domain name image is consistent with a font type, size, layout, etc. of the domain name to be detected.
Fig. 2 is a schematic diagram of a domain name image according to an embodiment of the present disclosure, and as shown in fig. 2, a domain name whose text content is "abc" may be converted into a domain name image, where the content in the domain name image is a picture of the text "abc", and the font type, size, and layout of the text in the picture are consistent with the text content of the domain name itself. The text content of the domain name to be detected is not limited by the present disclosure.
In one possible implementation, the visual similarity between the domain name to be detected and the non-malicious domain names in Alexa Top 100w can be determined through the domain name image. In step S12, the domain name image may be encoded to obtain the domain name code, and the visual similarity is determined from the domain name code and the codes of the non-malicious domain names in Alexa Top 100w.
In one possible implementation, the encoding may include a plurality of encoding modes, for example, encoding through a neural network or the like. Taking encoding by a perceptual hash algorithm as an example, the domain name code obtained by the encoding method includes a perceptual hash value of the domain name image, that is, a first hash value. The step can include preprocessing the domain name image to obtain an image to be encoded, wherein the preprocessing includes at least one of scaling processing, gray level processing and binarization processing; and converting the image to be coded into binary coding to obtain a first hash value of the domain name image.
In a possible implementation manner, the perceptual hash algorithm includes an ahash algorithm, a dhash algorithm, a whash algorithm, a colorhash algorithm, and the like, and taking the ahash algorithm as an example, the domain name image may be encoded by the ahash algorithm to obtain a first hash value of the domain name image. The present disclosure does not limit the categories of algorithms that the perceptual hash algorithm includes and the algorithms that are selected.
In a possible implementation manner, the above encoding process may include preprocessing the domain name image to improve the accuracy of the obtained domain name encoding. In an example, the domain name image may be scaled, for example, to a size of 8 × 8 or 32 × 32, and the domain name image may be compared with the encoding of the non-malicious domain name in a uniform size. And the scaled image is subjected to gray processing and binarization processing to remove the color of the image and obtain a black and white image, so that the encoding error caused by color information is avoided, for example, in a webpage, texts of some domain names are displayed in colored fonts, and the converted domain name image is also a colored image, so that the colored image can be subjected to gray processing and binarization processing and converted into a black and white image to be encoded, the interference of color information can be eliminated, and only text contents are compared with non-malicious domain names. For example, after the gray scale processing is performed, each pixel point in the image does not have color information any more, further, an average value of the pixel values of each pixel point may be calculated, and binarization processing is performed based on the average value, for example, the pixel value of the pixel point whose pixel value is greater than the average value is set to 1, and the pixel value of the pixel point whose pixel value is less than the average value is set to 0, so as to obtain a black-and-white image to be encoded. The present disclosure is not limited to a particular manner of pretreatment.
In a possible implementation manner, after the preprocessing, the image to be encoded may be converted into a binary code, for example, pixel values in a binary black-and-white image (image to be encoded) may be extracted to obtain the binary code, or the image to be encoded may be processed through a neural network to obtain the binary code, and the disclosure does not limit the method of converting into the binary code. After the conversion, a first hash value of the domain name image can be obtained.
In one possible implementation manner, the domain name code of the domain name image may be compared with the codes of the non-malicious domain names in Alexa Top 100w to determine the visual similarity between the domain name to be detected and the non-malicious domain names. In an example, the non-malicious domain names in Alexa Top 100w may be processed in the same manner as described above, and the reference code of each non-malicious domain name may be obtained for comparison with the domain name code. The method further includes: respectively converting the non-malicious domain names into reference images, wherein the content in each reference image is the text content of the corresponding non-malicious domain name; and generating a reference code of each non-malicious domain name according to each reference image. In an example, each non-malicious domain name may be converted into a reference image, the reference image may be preprocessed in the same manner as described above, and the preprocessed black-and-white image may then be converted into a binary code to obtain the reference code of each non-malicious domain name, for example, a second hash value of each non-malicious domain name. The present disclosure does not limit the manner in which the reference code is obtained.
In a possible implementation manner, a database of reference codes of non-malicious domain names may be established, for example, the reference codes of the non-malicious domain names in the Alexa Top 100w may be written into the database, and the domain names of certain domains may be added to the database after being judged as the non-malicious domain names.
In a possible implementation manner, the domain name code of the domain name to be detected may be compared with the reference codes in the database to determine a comparison code; the non-malicious domain name corresponding to the comparison code has the highest visual similarity to the domain name to be detected. Whether the domain name to be detected is a malicious domain name can then be determined using the comparison code. For example, if the domain name to be detected does not belong to the known non-malicious domain names, and its visual similarity to a certain known non-malicious domain name (the non-malicious domain name corresponding to the comparison code) is high, the domain name to be detected can be considered a malicious domain name that mimics the appearance of that non-malicious domain name and attempts to mislead the user into clicking. Conversely, if the domain name to be detected does not belong to the known non-malicious domain names but its visual similarity to the known non-malicious domain names is not high, the domain name to be detected is considered not to be a domain name that misleads the user into clicking by imitating the appearance of a non-malicious domain name. (The non-malicious domain name corresponding to the comparison code is the one with the highest visual similarity to the domain name to be detected, so if that similarity is not high, the visual similarity between the domain name to be detected and all the non-malicious domain names in Alexa Top 100w is considered not high.)
In a possible implementation manner, referring to the above manner, in step S13, a domain name with the highest visual similarity to the domain name to be detected may be determined in the plurality of non-malicious domain names, for example, a comparison code closest to the domain name code is determined by using a reference code of each non-malicious domain name and the domain name code of the domain name to be detected, and the non-malicious domain name corresponding to the comparison code is the domain name with the highest visual similarity to the domain name to be detected. In an example, the domain name code includes a first hash value, and the reference code is a second hash value, and then the comparison code can be determined from the plurality of reference codes by the first hash value and the second hash value.
In one possible implementation, step S13 may include: according to the first hash value, determining a third hash value with the minimum difference value with the first hash value in second hash values of a plurality of reference images; determining the third hash value as the comparison code.
In an example, the first hash value and the second hash value are binary codes obtained by converting pixel values of pixels of a black-and-white image with the same size, and the lengths of the first hash value and the second hash value are equal, for example, the domain name image and the reference image are both 8 × 8 images, and the first hash value and the second hash value are both 64-bit binary codes.
In a possible implementation manner, the first hash value may be subtracted from each of the second hash values to determine the difference between the first hash value and each second hash value, and the second hash value having the smallest difference from the first hash value, that is, the third hash value, is then determined. Further, the third hash value may be determined as the comparison code. That is, the non-malicious domain name whose hash value differs least can be taken as the non-malicious domain name with the highest visual similarity to the domain name to be detected.
In a possible implementation manner, after the comparison code and the non-malicious domain name with the highest visual similarity to the domain name to be detected have been determined, it can be further determined whether the domain name to be detected imitates that non-malicious domain name in appearance in an attempt to mislead the user into clicking it. In an example, the determination may be made from the difference between the comparison code and the domain name code. As described above, the visual similarity between the domain name to be detected and the non-malicious domain name can be determined from their codes: the smaller the difference between the codes, the higher the visual similarity.
In an example, since the hash value (i.e., the binary code) is obtained by converting the pixel values of the black-and-white image, the more data bits of the two hash values are consistent, the more pixels have the same pixel value in the two black-and-white images and the higher the visual similarity; the more data bits are inconsistent, the fewer pixels have the same pixel value and the lower the visual similarity. Therefore, whether the domain name to be detected imitates a non-malicious domain name in appearance in order to mislead the user into clicking it can be determined from the number of inconsistent data bits.
In one possible implementation, step S14 may include: determining a first number of data bits in the domain name code and the comparison code that are inconsistent; and determining that the domain name to be detected is a malicious domain name under the condition that the first number is smaller than or equal to a preset number threshold.
In a possible implementation manner, if the first number of inconsistent data bits in the domain name code and the comparison code is small, the domain name to be detected is considered to be different from the non-malicious domain name but highly similar to it visually, and can be considered a malicious domain name that imitates the appearance of the non-malicious domain name and attempts to mislead the user into clicking it. Otherwise, the visual similarity between the domain name to be detected and the non-malicious domain name is not high, and the domain name to be detected is not a domain name that misleads the user into clicking by exploiting similarity in appearance.
In an example, a number threshold may be preset. If the first number of inconsistent data bits in the domain name code and the comparison code is less than or equal to the preset number threshold, the visual similarity between the domain name to be detected and the non-malicious domain name may be considered high, and the domain name to be detected may be determined to be a malicious domain name. Conversely, if the first number is greater than the number threshold, the visual similarity between the domain name to be detected and the non-malicious domain name is considered low, and the domain name to be detected is not a domain name that misleads the user into clicking by exploiting similarity in appearance.
In one possible implementation, the method further includes: generating warning information in the case that the domain name to be detected is a malicious domain name. For example, if the above method detects a malicious domain name among the domain names included in a certain web page, warning information may be generated near that domain name to tell the user that it is a malicious domain name, that it is only similar in appearance to a certain non-malicious domain name and is not that non-malicious domain name, and that the user should not click it, so as to avoid causing a network security problem.
According to the malicious domain name detection method, the domain name to be detected can be converted into an image, and the number of data bits that are inconsistent between the code of the image and the code of a non-malicious domain name is used to judge whether the domain name to be detected is easily confused visually with the non-malicious domain name, and thus whether it is a malicious domain name that misleads the user into clicking by exploiting its high visual similarity to a certain legitimate domain name. This reduces the possibility that the user mistakenly clicks a malicious domain name because of visual similarity and improves network security.
Fig. 3A and 3B are schematic diagrams illustrating an application of the malicious domain name detection method according to the embodiment of the present disclosure. As shown in Fig. 3A, a domain name to be detected may be converted into a domain name image and encoded to obtain a domain name code. A plurality of non-malicious domain names in the Alexa Top 100w can be converted into images and encoded in the same way to obtain a plurality of reference codes. The comparison code closest to the domain name code can then be determined among the plurality of reference codes, and whether the domain name to be detected is a malicious domain name can be determined by comparing the data bits of the comparison code and the domain name code. For example, the comparison code and the domain name code are both obtained by converting an image into a binary code; the fewer the inconsistent data bits of the two codes, the more pixels with the same pixel value the two corresponding images are considered to have, that is, the higher the visual similarity. If the inconsistent data bits are fewer than the preset threshold, the domain name to be detected is different from the non-malicious domain name but highly similar to it in appearance, and can be considered a malicious domain name that misleads the user into clicking by exploiting that similarity. Otherwise, the domain name to be detected can be regarded as a non-malicious domain name.
As shown in Fig. 3B, a domain name includes an "mαil" field. After image conversion, a domain name image whose image content is "mαil" is obtained, and this image is encoded to obtain a first hash value, that is, the first row of binary code in Fig. 3B. Further, a comparison code can be determined among the reference codes, namely the second hash value corresponding to the "mail" field, that is, the second row of binary code in Fig. 3B.
In an example, the number of data bits in the first hash value that do not match the second hash value may be determined; for example, in Fig. 3B, 1 data bit in the first hash value does not match the second hash value. The number threshold may be preset, for example to 5. The number of inconsistent data bits is then smaller than the number threshold, so the visual similarity between the domain name to be detected and the non-malicious domain name is considered high, and the domain name to be detected is considered a malicious domain name that misleads the user into clicking by exploiting the similarity in appearance.
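The following Python code is an added example, not code from the patent: it walks the preprocessing, encoding, comparison-code selection (step S13) and threshold decision (step S14) described above, reproducing the Fig. 3B case of one inconsistent bit against a threshold of 5. The 8 × 8 bitmaps, the `.example` domain names and all function names are constructed assumptions, and the S13 difference is measured here as the count of differing bits (the text speaks of subtracting the hash values) so that S13 and S14 use one metric.

```python
# Added illustration of the image-hash comparison. Bitmaps and names are constructed.
SIZE = 8        # 8 x 8 image -> 64-bit code, as in the page's example
THRESHOLD = 5   # preset number threshold from the Fig. 3B example

# Constructed stand-ins for rendered domain-name images ('#' = ink).
MAIL = ["........", "##.#.#.#", "#.#.#..#", "#.#.##.#",
        "#.#.#.##", "........", "........", "........"]
# Same picture with one pixel changed, standing in for the look-alike field.
MALPHA = ["........", "##.#.#.#", "#.#.##.#", "#.#.##.#",
          "#.#.#.##", "........", "........", "........"]
SHOP = ["........", "........", "........", "####.###",
        "#..#.#.#", "####.###", "........", "........"]
# A picture unlike either reference.
CROSS = ["#......#", ".#....#.", "..#..#..", "...##...",
         "...##...", "..#..#..", ".#....#.", "#......#"]

# Hypothetical reference database: non-malicious name -> its image.
REFERENCE_ART = {"mail.example": MAIL, "shop.example": SHOP}


def art_to_gray(art, scale=2):
    """Build a constructed grayscale image (0 = ink, 255 = paper), upscaled."""
    rows = []
    for line in art:
        row = [0 if ch == "#" else 255 for ch in line for _ in range(scale)]
        rows.extend(row[:] for _ in range(scale))
    return rows


def preprocess(gray, size=SIZE):
    """Scale to size x size by block averaging, then binarize (1 = dark)."""
    bh, bw = len(gray) // size, len(gray[0]) // size
    out = []
    for r in range(size):
        row = []
        for c in range(size):
            block = [gray[r * bh + y][c * bw + x]
                     for y in range(bh) for x in range(bw)]
            row.append(1 if sum(block) / len(block) < 128 else 0)
        out.append(row)
    return out


def encode(binary):
    """Flatten the binarized image row by row into one integer code."""
    code = 0
    for row in binary:
        for bit in row:
            code = (code << 1) | bit
    return code


def image_code(art):
    """Image -> preprocessing -> binary code (the 'hash value')."""
    return encode(preprocess(art_to_gray(art)))


def differing_bits(a, b):
    """Number of inconsistent data bits between two codes."""
    return bin(a ^ b).count("1")


def nearest_reference(code, refs):
    """S13: pick the reference code with the fewest differing bits."""
    return min(refs.items(), key=lambda kv: differing_bits(code, kv[1]))


def detect(name, art, reference_art):
    """Return (is_malicious, closest_non_malicious_name, first_number)."""
    if name in reference_art:          # screening: known non-malicious name
        return (False, name, 0)
    refs = {n: image_code(a) for n, a in reference_art.items()}
    code = image_code(art)
    closest, comparison_code = nearest_reference(code, refs)
    first_number = differing_bits(code, comparison_code)
    return (first_number <= THRESHOLD, closest, first_number)   # S14


if __name__ == "__main__":
    for name, art in [("mαil.example", MALPHA), ("mail.example", MAIL),
                      ("news.example", CROSS)]:
        print(name, detect(name, art, REFERENCE_ART))
```

Counting differing bits and subtracting the codes as integers are not interchangeable: `0b1000` and `0b0111` differ by 1 arithmetically but in all four bits, so the metric used to pick the comparison code should match the one used for the threshold.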
In a possible implementation manner, the malicious domain name detection method can be used for detecting a malicious domain name misleading a user to click by using visual similarity in scenes including at least one domain name, such as a webpage, a list and the like, so that the network security is improved, and the risk of mistakenly clicking the malicious domain name by the user is reduced. The application scene of the malicious domain name detection method is not limited by the disclosure.
Fig. 4 shows a block diagram of a malicious domain name detection apparatus according to an embodiment of the present disclosure, and as shown in fig. 4, the apparatus includes: the image conversion module 11 is configured to convert a domain name to be detected into a domain name image, where content in the domain name image includes text content of the domain name to be detected; the encoding module 12 is configured to generate a domain name code of the domain name to be detected according to the domain name image; the comparison module 13 is configured to determine a comparison code from a plurality of preset reference codes according to the domain name code, where the reference code is determined according to a non-malicious domain name; and the judging module 14 is configured to determine whether the domain name to be detected is a malicious domain name according to the domain name code and the comparison code.
In one possible implementation, the domain name code includes a first hash value of the domain name image, and the encoding module is further configured to: preprocessing the domain name image to obtain an image to be encoded, wherein the preprocessing comprises at least one of scaling processing, gray level processing and binarization processing; and converting the image to be coded into binary coding to obtain a first hash value of the domain name image.
In one possible implementation, the apparatus further includes: a reference code determining module, configured to convert the non-malicious domain names into reference images, respectively, where content in each reference image is text content of a corresponding non-malicious domain name; and generating a reference code of each non-malicious domain name according to each reference image.
In one possible implementation, the domain name code includes a first hash value of the domain name image, the reference code includes a second hash value of the reference image, and the comparison module is further configured to: according to the first hash value, determining a third hash value with the minimum difference value with the first hash value in second hash values of a plurality of reference images; determining the third hash value as the comparison code.
In a possible implementation manner, the determining module is further configured to: determining a first number of data bits in the domain name code and the comparison code that are inconsistent; and determining that the domain name to be detected is a malicious domain name under the condition that the first number is smaller than or equal to a preset number threshold.
In one possible implementation, the apparatus further includes: and the screening module is used for determining the domain name to be detected which is different from the text content of each non-malicious domain name in the plurality of first domain names according to the text content of the non-malicious domain names.
In one possible implementation, the apparatus further includes: and the warning module is used for generating warning information under the condition that the domain name to be detected is a malicious domain name.
It is understood that the above-mentioned method embodiments of the present disclosure can be combined with each other to form combined embodiments without departing from the underlying principles and logic; for reasons of space, the details are not repeated in the present disclosure. Those skilled in the art will appreciate that in the above methods of the specific embodiments, the specific order of execution of the steps should be determined by their function and possibly their inherent logic.
In addition, the present disclosure also provides a malicious domain name detection apparatus, an electronic device, a computer-readable storage medium, and a program, which can be used to implement any one of the malicious domain name detection methods provided by the present disclosure; for the corresponding technical solutions and descriptions, refer to the corresponding descriptions in the method section, which are not repeated here.
In some embodiments, functions of or modules included in the apparatus provided in the embodiments of the present disclosure may be used to execute the method described in the above method embodiments, and specific implementation thereof may refer to the description of the above method embodiments, and for brevity, will not be described again here.
Embodiments of the present disclosure also provide a computer-readable storage medium having stored thereon computer program instructions, which when executed by a processor, implement the above-mentioned method. The computer readable storage medium may be a non-volatile computer readable storage medium.
An embodiment of the present disclosure further provides an electronic device, including: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to invoke the memory-stored instructions to perform the above-described method.
The embodiments of the present disclosure also provide a computer program product, which includes computer readable code, and when the computer readable code runs on a device, a processor in the device executes instructions for implementing the malicious domain name detection method provided in any of the above embodiments.
The embodiments of the present disclosure also provide another computer program product for storing computer readable instructions, which when executed cause a computer to perform the operations of the malicious domain name detection method provided in any of the above embodiments.
The electronic device may be provided as a terminal, server, or other form of device.
Fig. 5 illustrates a block diagram of an electronic device 800 in accordance with an embodiment of the disclosure. For example, the electronic device 800 may be a terminal such as a mobile phone, a computer, a digital broadcast terminal, a messaging device, a game console, a tablet device, a medical device, a fitness device, or a personal digital assistant.
Referring to fig. 5, electronic device 800 may include one or more of the following components: processing component 802, memory 804, power component 806, multimedia component 808, audio component 810, input/output (I/O) interface 812, sensor component 814, and communication component 816.
The processing component 802 generally controls overall operation of the electronic device 800, such as operations associated with display, telephone calls, data communications, camera operations, and recording operations. The processing components 802 may include one or more processors 820 to execute instructions to perform all or a portion of the steps of the methods described above. Further, the processing component 802 can include one or more modules that facilitate interaction between the processing component 802 and other components. For example, the processing component 802 can include a multimedia module to facilitate interaction between the multimedia component 808 and the processing component 802.
The memory 804 is configured to store various types of data to support operations at the electronic device 800. Examples of such data include instructions for any application or method operating on the electronic device 800, contact data, phonebook data, messages, pictures, videos, and so forth. The memory 804 may be implemented by any type or combination of volatile or non-volatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
The power supply component 806 provides power to the various components of the electronic device 800. The power components 806 may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the electronic device 800.
The multimedia component 808 includes a screen that provides an output interface between the electronic device 800 and a user. In some embodiments, the screen may include a Liquid Crystal Display (LCD) and a Touch Panel (TP). If the screen includes a touch panel, the screen may be implemented as a touch screen to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense an edge of a touch or slide action, but also detect a duration and pressure associated with the touch or slide operation. In some embodiments, the multimedia component 808 includes a front facing camera and/or a rear facing camera. The front camera and/or the rear camera may receive external multimedia data when the electronic device 800 is in an operation mode, such as a shooting mode or a video mode. Each front camera and rear camera may be a fixed optical lens system or have a focal length and optical zoom capability.
The audio component 810 is configured to output and/or input audio signals. For example, the audio component 810 includes a Microphone (MIC) configured to receive external audio signals when the electronic device 800 is in an operational mode, such as a call mode, a recording mode, and a voice recognition mode. The received audio signals may further be stored in the memory 804 or transmitted via the communication component 816. In some embodiments, audio component 810 also includes a speaker for outputting audio signals.
The I/O interface 812 provides an interface between the processing component 802 and peripheral interface modules, which may be keyboards, click wheels, buttons, etc. These buttons may include, but are not limited to: a home button, a volume button, a start button, and a lock button.
The sensor assembly 814 includes one or more sensors for providing various aspects of state assessment for the electronic device 800. For example, the sensor assembly 814 may detect an open/closed state of the electronic device 800, the relative positioning of components, such as a display and keypad of the electronic device 800, the sensor assembly 814 may also detect a change in the position of the electronic device 800 or a component of the electronic device 800, the presence or absence of user contact with the electronic device 800, orientation or acceleration/deceleration of the electronic device 800, and a change in the temperature of the electronic device 800. Sensor assembly 814 may include a proximity sensor configured to detect the presence of a nearby object without any physical contact. The sensor assembly 814 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, the sensor assembly 814 may also include an acceleration sensor, a gyroscope sensor, a magnetic sensor, a pressure sensor, or a temperature sensor.
The communication component 816 is configured to facilitate wired or wireless communication between the electronic device 800 and other devices. The electronic device 800 may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component 816 receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component 816 further includes a Near Field Communication (NFC) module to facilitate short-range communications. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, infrared data association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
In an exemplary embodiment, the electronic device 800 may be implemented by one or more Application Specific Integrated Circuits (ASICs), Digital Signal Processors (DSPs), Digital Signal Processing Devices (DSPDs), Programmable Logic Devices (PLDs), Field Programmable Gate Arrays (FPGAs), controllers, micro-controllers, microprocessors or other electronic components for performing the above-described methods.
In an exemplary embodiment, a non-transitory computer-readable storage medium, such as the memory 804, is also provided that includes computer program instructions executable by the processor 820 of the electronic device 800 to perform the above-described methods.
Fig. 6 illustrates a block diagram of an electronic device 1900 in accordance with an embodiment of the disclosure. For example, the electronic device 1900 may be provided as a server. Referring to fig. 6, electronic device 1900 includes a processing component 1922 further including one or more processors and memory resources, represented by memory 1932, for storing instructions, e.g., applications, executable by processing component 1922. The application programs stored in memory 1932 may include one or more modules that each correspond to a set of instructions. Further, the processing component 1922 is configured to execute instructions to perform the above-described method.
The electronic device 1900 may also include a power component 1926 configured to perform power management of the electronic device 1900, a wired or wireless network interface 1950 configured to connect the electronic device 1900 to a network, and an input/output (I/O) interface 1958. The electronic device 1900 may operate based on an operating system stored in memory 1932, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, or the like.
In an exemplary embodiment, a non-transitory computer readable storage medium, such as the memory 1932, is also provided that includes computer program instructions executable by the processing component 1922 of the electronic device 1900 to perform the above-described methods.
The present disclosure may be systems, methods, and/or computer program products. The computer program product may include a computer-readable storage medium having computer-readable program instructions embodied thereon for causing a processor to implement various aspects of the present disclosure.
The computer readable storage medium may be a tangible device that can hold and store the instructions for use by the instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media as used herein is not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or electrical signals transmitted through electrical wires.
The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a respective computing/processing device, or to an external computer or external storage device via a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in the respective computing/processing device.
The computer program instructions for carrying out operations of the present disclosure may be assembler instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, the electronic circuitry that can execute the computer-readable program instructions implements aspects of the present disclosure by utilizing the state information of the computer-readable program instructions to personalize the electronic circuitry, such as a programmable logic circuit, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA).
Various aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable medium storing the instructions comprises an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The computer program product may be embodied in hardware, software or a combination thereof. In an alternative embodiment, the computer program product is embodied in a computer storage medium, and in another alternative embodiment, the computer program product is embodied in a Software product, such as a Software Development Kit (SDK), or the like.
Having described embodiments of the present disclosure, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or improvements made to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (9)

1. A malicious domain name detection method is characterized by comprising the following steps:
converting a domain name to be detected into a domain name image, wherein the content in the domain name image comprises the text content of the domain name to be detected;
generating a domain name code of the domain name to be detected according to the domain name image;
determining, according to the domain name code, a comparison code among a plurality of preset reference codes, wherein the reference codes are determined according to non-malicious domain names;
determining whether the domain name to be detected is a malicious domain name according to the domain name code and the comparison code;
wherein determining whether the domain name to be detected is a malicious domain name according to the domain name code and the comparison code comprises:
determining a first number of data bits in the domain name code and the comparison code that are inconsistent;
and determining that the domain name to be detected is a malicious domain name under the condition that the first number is smaller than or equal to a preset number threshold.
2. The method of claim 1, wherein the domain name code comprises a first hash value of the domain name image,
wherein generating the domain name code of the domain name to be detected according to the domain name image comprises:
preprocessing the domain name image to obtain an image to be encoded, wherein the preprocessing comprises at least one of scaling processing, gray level processing and binarization processing;
and converting the image to be encoded into a binary code to obtain the first hash value of the domain name image.
3. The method of claim 1, further comprising:
respectively converting the non-malicious domain names into reference images, wherein the content in each reference image is the text content of the corresponding non-malicious domain name;
and generating a reference code of each non-malicious domain name according to each reference image.
4. The method of claim 3, wherein the domain name code comprises a first hash value of the domain name image, wherein the reference code comprises a second hash value of the reference image,
wherein determining, according to the domain name code, a comparison code among a plurality of preset reference codes comprises:
determining, according to the first hash value, a third hash value having the smallest difference from the first hash value among the second hash values of a plurality of reference images;
and determining the third hash value as the comparison code.
5. The method of claim 1, further comprising:
determining, among a plurality of first domain names and according to the text content of the non-malicious domain names, the domain name to be detected, whose text content differs from the text content of each non-malicious domain name.
6. The method of claim 5, further comprising:
and generating warning information under the condition that the domain name to be detected is a malicious domain name.
7. A malicious domain name detection apparatus, comprising:
the image conversion module is used for converting the domain name to be detected into a domain name image, wherein the content in the domain name image comprises the text content of the domain name to be detected;
the encoding module is used for generating the domain name code of the domain name to be detected according to the domain name image;
the comparison module is used for determining a comparison code in a plurality of preset reference codes according to the domain name code, wherein the reference code is determined according to a non-malicious domain name;
the judging module is used for determining whether the domain name to be detected is a malicious domain name or not according to the domain name code and the comparison code;
wherein the judging module is further configured to: determine a first number of data bits that are inconsistent between the domain name code and the comparison code; and determine that the domain name to be detected is a malicious domain name under the condition that the first number is smaller than or equal to a preset number threshold.
8. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to invoke the memory-stored instructions to perform the method of any of claims 1 to 6.
9. A computer readable storage medium having computer program instructions stored thereon, which when executed by a processor implement the method of any one of claims 1 to 6.
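The pipeline of claims 1 to 5 can be followed end to end in the Python sketch below, which is an added example and not code from the patent. The 3x5 glyph font, the fixed 12-character canvas (standing in for the scaling step of claim 2), the reference domains and the 4-bit threshold are all constructed assumptions.

```python
# Added illustration of the claimed pipeline; the 3x5 glyphs, domains and
# threshold are constructed for this example and are not from the patent.
GLYPHS = {  # each glyph: 5 rows x 3 columns of already-binarized pixels
    "a": "010101111101101", "p": "110101110100100", "y": "101101010010010",
    "l": "010010010010010", "1": "010110010010111", ".": "000000000000010",
    "c": "011100100100011", "o": "010101101101010", "m": "101111101101101",
    "e": "111100110100111", " ": "000000000000000",
}
WIDTH = 12  # fixed canvas width in characters (stands in for the scaling step)


def domain_code(domain: str) -> int:
    """Render the domain text as a binary pixel grid and return it as an int."""
    if len(domain) > WIDTH or any(ch not in GLYPHS for ch in domain):
        raise ValueError(f"cannot render {domain!r} with the toy font")
    bits = "".join(GLYPHS[ch] for ch in domain.ljust(WIDTH))
    return int(bits, 2)


def differing_bits(a: int, b: int) -> int:
    """The 'first number' of claim 1: count of inconsistent data bits."""
    return bin(a ^ b).count("1")


def detect(domain: str, references: dict, threshold: int = 4):
    """Return (is_malicious, comparison_domain, differing_bit_count)."""
    if domain in references:          # claim 5: skip exact non-malicious names
        return (False, domain, 0)
    code = domain_code(domain)
    # claim 4: comparison code = reference code with the smallest difference
    nearest = min(references, key=lambda r: differing_bits(code, references[r]))
    distance = differing_bits(code, references[nearest])
    # claim 1: few differing bits means the name looks like a known-good one
    return (distance <= threshold, nearest, distance)


# claim 3: reference codes are generated once from the non-malicious names
REFERENCES = {d: domain_code(d) for d in ("paypal.com", "apple.com")}

if __name__ == "__main__":
    for name in ("paypa1.com", "app1e.com", "paypal.com", "mope.com"):
        print(name, detect(name, REFERENCES))
```

Without the exact-match exclusion of claim 5, the legitimate name itself would have zero differing bits and would be flagged by the "smaller than or equal to" test of claim 1.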
CN202110849203.8A 2021-07-27 2021-07-27 Malicious domain name detection method and device, electronic equipment and storage medium Active CN113596016B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110849203.8A CN113596016B (en) 2021-07-27 2021-07-27 Malicious domain name detection method and device, electronic equipment and storage medium


Publications (2)

Publication Number Publication Date
CN113596016A CN113596016A (en) 2021-11-02
CN113596016B true CN113596016B (en) 2022-02-25

Family

ID=78250518

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110849203.8A Active CN113596016B (en) 2021-07-27 2021-07-27 Malicious domain name detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113596016B (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant